Guest Post: ESET explains the recent CRA cyberattack and how Canadians can protect themselves

Last week, cybercriminals set their sights on the Canadian government when several government services were disabled following a series of cyberattacks.

On August 15, the Treasury Board Secretariat announced that approximately 11,000 online government services accounts, originating from the Government of Canada Key service (GCKey) and Canada Revenue Agency (CRA) accounts, had been victims of hacking attempts. The GCKey allows Canadians to access several Government of Canada online programs and services, including Employment Insurance services and Canada Emergency Response Benefit (CERB) payments, a support program for employees who have lost employment due to the pandemic.

On August 7, CRA noticed the first signs of credential-stuffing attacks on its website. Credential stuffingmeans criminals try to use previously stolen credentials to log into another account owned by the same victim. Unlike a brute-force attack, bad actors use previously stolen user/password combinations to access a third-party service.

The government estimates approximately 11,200 accounts have been hacked. Of these, approximately were 5,600 for the CRA and 9,000 for the KeyGC system. Of the CRA accounts affected, more than half were hacked using the GCKey access.

What can we do?

At this time, we don‘t have details about the types of data that the bad actors have accessed and whether all victims of these attacks have already been notified by the government yet.

However, since we are talking about credential-stuffing attacks, we can point out that people who usethe same credentials for multiple sites and programs are at risk of being victims of this type of attack. Various resources are available to help you find out if one of your accounts has ever been the victim of a data breach.

Even if you weren‘t a victim of cyber attackers this time around, it’s recommended to adopt better security habits now to avoid being a victim of the next attack.

First and foremost, we can never say it too much: never recycle a password. This is an easy and essential step to ensure the security of you and your data. In this case, the bad actors used previously stolen login/password combinations for their attacks.

  • Use passwords – or better yet, passphrases – that are strong and unique for each of your accounts.
  • You can use a reliable password manager to help you create and, above all, memorize strong and unique passwords.
  • Enable multi-factor authentication, whenever it’s available, to add an extra layer of security to your accounts.
  • Regularly check your personal records for anomalies, especially if you have been the victim of data theft.

For more information about cybersecurity, please visit

Leave a Reply

%d bloggers like this: